Upgrade to 9 SAML failure

Issue Summary

After upgrading from redash:latest SAML login fails.
In the browser I see -

Internal Server Error
The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.

Looking in the logs revealed an error -

[2021-02-06 12:56:30,602][PID:10][ERROR][redash.app] Exception on /saml/callback [POST]
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 2446, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 1951, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/local/lib/python3.7/site-packages/flask_restful/__init__.py", line 269, in error_router
    return original_handler(e)
  File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 1820, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python3.7/site-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 1949, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.7/site-packages/flask/app.py", line 1935, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/app/redash/authentication/saml_auth.py", line 85, in idp_initiated
    authn_response.ava["FirstName"][0],
KeyError: 'FirstName'

Technical details:

  • Redash Version: redash/redash:9.0.0-beta.b42121
  • Browser/OS: Chrome/MacOS 10.14.6
  • How did you install Redash: K8S

The SAML config I use in Keycloak had FirstName as the friendly name, which worked in the previous latest redash image.

The attribute names were something like - urn:oid:2.5.4.4.
So I modified them to match the friendly names, and everything worked again.
I’m guessing the previous version looked at the friendly name, or was able to map the attribute a different way.

I also faced Similar kind of error. In My Case, I am using Azure AD as IDP. And Redash in a self-hosted environment.

Maybe my solution can help other people.

Changes from Redash UI:

  1. SAML Metadata URL : https://login.microsoftonline.com/823yyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyy/federationmetadata/2007-06/federationmetadata.xml?appid=avbdgh-aaaa-aaaa-aaaa-aaaaaaaa
  2. SAML Entity ID : avbdgh-aaaa-aaaa-aaaa-aaaaaaaa
  3. SAML NameID Format : urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Note: In your case Directory and appid will be different (i.e. Point No. 1 & 2)

Changes from Redash Backend: Update "redash/authentication/saml_auth.py’ File

This line was given me error: authn_response.ava[“FirstName”][0]
I removed old code with this new code i.e. name = email.split(".")[0] which solved my problem.

Vaibhav